Scenario is that we are validating SMSESSION and we have the following queries:

TEST 1:

1. User logs in and has a valid SMSESSION.
2. User account is locked temporarily in another session i.e. new login call and the user is locked/disabled.
3. Tried using the existing SMSESSION we had captured for success scenario and noticed that the login is permitted i.e. SMSESSION is still validated.

Here, the smsession is validated even though the user is locked out in another session. Does SM policy server check the user status i.e. sm-disabled-flag while validating the smsession?

TEST 2:

1. User logs in and has a valid SMSESSION.
2. Change the UD's DSN.
3. Tried using the existing smsession we had captured for success scenario and noticed that the login is permitted i.e. SMSESSION is still validated.

Here, still, the smsession is validated even though the UD is using incorrect DSN. Does the SM disambiguate during the validation session call?

TEST 3:

1. User logs in and has a valid SMSESSION.
2. Change one of the user attributes.
3. Tried using the existing smsession we had captured for success scenario and noticed that the login is permitted i.e. SMSESSION is still validated.

You can configure the webagent cache to have a lower lifespan. This will cause the smsession to expire sooner. However, the drawback to this is that there will be more calls made to the policy server which might affect its performance.
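
The trade-off described in the answer above, as an added example that is not part of the original thread and is not SiteMinder code: a simplified model in which an agent caches a successful session validation for `ttl` seconds and only the policy server sees the disabled flag. The class names, the user `alice`, the token `token-1` and all timings are hypothetical.

```python
# Simplified model (assumption): the agent trusts a cached "valid" result for
# ttl seconds; only a call to the policy server sees the user's disabled flag.

class PolicyServer:
    def __init__(self):
        self.disabled = set()
        self.calls = 0  # how many validations reached the server

    def validate(self, user):
        self.calls += 1
        return user not in self.disabled


class Agent:
    def __init__(self, server, ttl):
        self.server, self.ttl = server, ttl
        self.cache = {}  # token -> time of last successful server validation

    def validate(self, token, user, now):
        cached_at = self.cache.get(token)
        if cached_at is not None and now - cached_at < self.ttl:
            return True  # served from cache, disabled flag not consulted
        ok = self.server.validate(user)
        if ok:
            self.cache[token] = now
        else:
            self.cache.pop(token, None)
        return ok


def simulate(ttl, disable_at=None, duration=600, step=10):
    """Replay one captured token every `step` seconds.

    Returns (seconds the token kept working after the account was disabled,
    policy server calls). The first value is None if it was never rejected."""
    server = PolicyServer()
    agent = Agent(server, ttl)
    for now in range(0, duration, step):
        if disable_at is not None and now >= disable_at:
            server.disabled.add("alice")  # constructed user
        if not agent.validate("token-1", "alice", now):
            return now - disable_at, server.calls
    return None, server.calls


if __name__ == "__main__":
    for ttl in (300, 30):
        print(ttl, simulate(ttl, disable_at=100), simulate(ttl))
```

In this model the shorter lifespan narrows the window in which a disabled user's token is still accepted, at the cost of ten times as many policy server calls for an ordinary active session.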